<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">OpenSSL 1.0.2 ceased being supported at the beginning of this year.<div class=""><br class=""></div><div class="">If you are deviating in any way from the prescribed build instructions (you did read the security policy didn’t you?) you are not FIPS compliant.</div><div class="">Not using the OpenSSL Makefile is such a deviation. My suspicion is that you are not and never have been FIPS compliant.</div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">Pauli<br class=""><div class="">
<div dir="auto" style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;">-- <br class="">Dr Paul Dale | Distinguished Architect | Cryptographic Foundations <br class="">Phone +61 7 3031 7217<br class="">Oracle Australia</div><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><br class=""></div><br class="Apple-interchange-newline"></div><br class="Apple-interchange-newline">
</div>
<div><br class=""><blockquote type="cite" class=""><div class="">On 7 Jul 2020, at 3:36 pm, Shirisha Dasari via openssl-users <<a href="mailto:openssl-users@openssl.org" class="">openssl-users@openssl.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class="">Hi All,<div class=""><br class=""></div><div class="">We have been trying to integrate FOM 2.0.13 with OpenSSL 1.0.2u for FIPS compliance. Post integration, we have been able to run in FIPS mode, with all self-tests passing as well. However, we seem to be encountering issues in creation and parsing of ECDSA keys.</div><div class=""><br class=""></div><div class="">A little background on how we build the shared libcrypto library:</div><div class=""><br class=""></div><div class="">TARGET: x86_64 </div><div class="">BUILD HOST: x86_64<br class=""></div><div class=""><br class=""></div><div class="">We do not use the OpenSSL Makefile to build the OpenSSL source. Our build infrastructure creates multiple static archives from the OpenSSL crypto source and finally creates a libcrypto.a from these archives as required by fipsld. The fipscanister.o and libcrypto.a are archived to create the final libcrypto.a and passed onto fipsld for creation of a dynamic library, libcrypto.so. fips_premain_dso gets built as a part of the build process too for generation of signature. These steps mimic the OpenSSL opensource Makefile.</div><div class=""><br class=""></div><div class="">fipsld embeds the signature into the final libcrypto.so successfully and we are able to get into FIPS mode successfully at run time. Self-tests pass as well.</div><div class=""><br class=""></div><div class="">Issue:</div><div class=""><br class=""></div><div class="">While trying to use ECDSA host keys for OpenSSH, we noticed that parsing of ECDSA key fails. DSA and RSA key creation and parsing do not have this issue. Note that the ECDSA key was generated in FIPS mode and is being parsed in FIPS mode itself.</div><div class=""><br class=""></div><div class="">
root@localhost:/home/admin#
openssl ec -in ssh_host_key_ecdsa -text -noout</div><div class="">read EC key<br class="">unable to load Key<br class="">140020611143360:error:10067066:elliptic curve routines:ec_GFp_simple_oct2point:invalid encoding:../../../../vendor/openssl-fips/crypto/ec/ecp_oct.c:370:<br class="">140020611143360:error:10092010:elliptic curve routines:d2i_ECPrivateKey:EC lib:../../../../vendor/openssl-fips/crypto/ec/ec_asn1.c:1172:<br class="">140020611143360:error:100D508E:elliptic curve routines:ECKEY_PRIV_DECODE:decode error:../../../../vendor/openssl-fips/crypto/ec/ec_ameth.c:256:<br class="">140020611143360:error:0606F091:digital envelope routines:EVP_PKCS82PKEY:private key decode error:../../../../vendor/openssl-fips/crypto/evp/evp_pkey.c:92:<br class="">140020611143360:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:../../../../vendor/openssl-fips/crypto/pem/pem_pkey.c:142:<br class="">root@localhost:/home/admin# <br class=""></div><div class=""><br class=""></div><div class="">A portion of the sample ECDSA key generated with curve secp384r1 via ssh-keygen with "ssh-keygen -t ecdsa -b 384 -f
ssh_host_key_ecdsa" is provided below:</div><div class=""><br class=""></div><div class="">-----BEGIN PRIVATE KEY-----<br class="">MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDD<br class="">........</div><div class="">........<br class="">-----END PRIVATE KEY-----<br class=""></div><div class=""><br class=""></div><div class=""> A few questions related to this:</div><div class=""><br class=""></div><div class="">1) Is there a specific need to build the OpenSSL source only via the provided Makefile? </div><div class="">2) FIPS self test for ECDSA passes but the key creation/parsing fails. Could this indicate that the FIPS module APIs are not getting invoked in the case of ECDSA?</div><div class=""><br class=""></div><div class="">-- <br class=""><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr" class="">Thanks & Regards,<div class="">Shirisha.</div></div></div></div></div>
</div></blockquote></div><br class=""></div></body></html>